Outlining Structural Authorization Profiles

Objective

After completing this lesson, you will be able to outline the elements included in structural authorization profiles

Structural Authorization Profiles

You use the Plan version field to determine the plan version to which the defined profile applies. If you use a system that integrates the Personnel Administration and Organizational Structure components, note that plan version 01 is generally the integrated plan version.

In the Object type field, specify only object types that have an eight-digit key. In general, structural authorization checks are not carried out for external objects with a different key (for example, cost centers).

In the Object ID field, enter the number of the start object if you are using evaluation paths.

Use the processing mode to control whether a read authorization or maintain authorization for the relevant set of objects should be assigned. This field corresponds to the MAINT field in table T77FC. All function codes that have "X" in this field can be processed.

By entering a specific evaluation path, you can determine that the user is only authorized to access objects along this evaluation path. You must also assign a root object for the structure when you use an evaluation path. This root object can either be entered directly in the Object ID field or determined dynamically by a suitable function module.

Only use the Sign field if you want to create structural authorization profiles that process the structure "bottom up".

The Status Vector in Relationships

Use the status vector to determine which relationships are considered when the structure is created. Each digit of the status vector is a planning status: if you define the status vector as 12, for example, all relationships with status 1 (active) or 2 (planned) are evaluated. The choice of status vector has no effect on the status of objects. The status vector refers only to the status of the relationships.

Display Depth

If you enter 0 as the value for the display depth, the corresponding tree is completely built. There is no limit to the depth of the tree.

Sign

If the Sign field is left blank, the structure is always evaluated from top to bottom.

The minus sign (-) can be used to process the structure from bottom to top. In the preceding example, the structural authorization then includes only the objects on level 4 and level 3.

Period

This parameter is used to define the profile according to the validity period of the structure. The parameter has no influence on the period for which a user is authorized to access a given object. Unlike the general authorization check, the structural authorization check does not return periods of responsibility. Instead, the system indicates whether or not the user has authorization for a specific object.

If you select D (current day), for example, the structural authorization is restricted to the structures valid on the current day. If you define a structural authorization like this for a manager, the manager is authorized to access data for all persons who are currently in his or her organizational unit.

If you do not make an entry, there is no restriction by validity period of the structures. In this case, the manager is authorized to access data on former or future employees in addition to the authorization in the previous example.

For the following examples, assume the system date is February 6, 2014:

Example 1: If you enter the value D, the user is only authorized to access P2. Since the user in this case only has authorization for objects in the structure valid on February 6, 2014 and since the relationship between S1 and P1 ends before February 6, 2014, the user is not granted access to P1.

Example 2: If you enter the value BLANK, the user is authorized to access P1 and P2.

Function Module

When you define a structural authorization, you can specify a function module, which dynamically determines a root object during runtime.

In the area in which you have specified the organizational assignment to be determined dynamically, do not make an entry in the Object ID field of the structural authorization. However, make sure you enter a plan version and an object type.

The advantage of using function modules is that a user-specific profile is created by the dynamic definition of a root object at runtime. If a manager changes departments, for example, the corresponding profile does not need to be changed. The number of structural authorizations can be significantly reduced by using function modules.

There are two function modules in the standard system:

  • RH_GET_MANAGER_ASSIGNMENT (Determine Organizational Units for Manager). This function module determines, as the root object, the organizational unit to which the user is assigned by the A012 (Manages) relationship. It works on the basis of a key date and determines only the organizational units assigned to the user as manager on the key date or within the specified period.

  • RH_GET_ORG_ASSIGNMENT (Organizational Assignment). This function module determines the organizational unit to which the user is organizationally assigned as the root object.

Examples of Structural Authorization Profiles

Example 1: Profile SP1: Due to the user’s authorization profile, the user is authorized to access plan version "01".

Example 2: Profile SP2: Due to the user’s authorization profile, the user is authorized to access organizational units in plan version "01".

Example 3: Profile SP3: Due to the user’s authorization profile, the user is authorized to access organizational units in plan version "01" from a root object (entry in the Object ID field) along the "Organizational Structure" evaluation path.

Example 4: Profile SP4: Due to the user's authorization profile, the user is authorized to access organizational units in the structure valid on the current day in plan version "01" from root object 200.

Example 5: Profile SP5: Due to the user's authorization profile, the user is authorized to access objects in plan version "01" from a root object along the Staffing Assignments Along Organizational Structure evaluation path. The root object is determined in this case using the function module. No entry should be made in the Object ID field. The user is then granted access authorization to the organizational unit he or she manages and to all lower-level objects along the SBESX evaluation path.
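The following Python model is added here as an illustration; it is not part of the lesson and not SAP's implementation, and it does not reproduce the exact semantics of table T77PR, RH_GET_MANAGER_ASSIGNMENT or report RHAUTH01. It resolves a profile definition (plan version, object type, root object or function module, evaluation path, status vector, display depth, sign and period) into the set of objects the profile grants, and replays the two period examples above (system date February 6, 2014, with the relationship between S1 and P1 ending before that date), a status vector of 12 with display depth 1, a bottom-up profile, and a profile like SP5 whose root is supplied at runtime by a stand-in for RH_GET_MANAGER_ASSIGNMENT. The object ids, relationship records, the user-to-person mapping, the hop-based reading of display depth and the three-step approximation of evaluation path SBESX are constructed assumptions.

```python
"""Toy model of resolving a structural authorization profile into the set of
objects it grants. Added illustration only: not SAP code, and it does not
reproduce the exact semantics of T77PR, RH_GET_MANAGER_ASSIGNMENT or RHAUTH01."""
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Rel:
    src: str        # object id in the form "<otype> <objid>", e.g. "O 200"
    relat: str      # relationship code, e.g. "B003"
    dst: str        # e.g. "S 1"
    istat: str      # planning status of the relationship: "1" active, "2" planned
    begda: date
    endda: date

@dataclass
class Profile:
    plvar: str                  # plan version, "01" = integrated plan version
    otype: str                  # object type of the root object
    objid: str = ""             # root object; blank when a function module supplies it
    maint: bool = False         # processing mode: True = maintain, False = read
    path: tuple = ()            # evaluation path as (src otype, relat, dst otype) steps
    status_vector: str = "1"    # "12" = follow active and planned relationships
    depth: int = 0              # display depth: 0 = whole tree (counted in hops here)
    sign: str = ""              # "-" = evaluate the structure bottom-up
    period: str = ""            # "D" = only structures valid on the key date
    root_fm: object = None      # callable(user, rels, key) that returns the root at runtime

LOW, HIGH = date(1900, 1, 1), date(9999, 12, 31)
KEY_DATE = date(2014, 2, 6)   # system date used in the lesson's period examples
# Constructed relationships; the codes follow the standard O-S-P naming.
RELS = [
    Rel("O 200", "B003", "S 1", "1", LOW, HIGH),              # O 200 incorporates position S 1
    Rel("S 1", "A008", "P 1", "1", LOW, date(2013, 12, 31)),  # P 1 left S 1 before the key date
    Rel("S 1", "A008", "P 2", "1", date(2014, 1, 1), HIGH),   # P 2 currently holds S 1
    Rel("O 200", "B002", "O 210", "2", LOW, HIGH),            # planned (status 2) sub unit
    Rel("S 9", "A008", "P 1001", "1", LOW, HIGH),             # the manager's own position...
    Rel("S 9", "A012", "O 200", "1", LOW, HIGH),              # ...manages O 200
]
# Simplified stand-in for evaluation path SBESX (staffing along the org structure)
SBESX = (("O", "B002", "O"), ("O", "B003", "S"), ("S", "A008", "P"))
USER_TO_PERSON = {"MANAGER1": "P 1001"}   # constructed user-to-person assignment

def manager_root(user: str, rels: list, key: date) -> str:
    """Stand-in for RH_GET_MANAGER_ASSIGNMENT: the org unit that the user's
    position manages (A012) on the key date, or "" if there is none."""
    person = USER_TO_PERSON.get(user, "")
    for hold in rels:                       # S -A008-> P: position held by the user
        if hold.relat == "A008" and hold.dst == person and hold.begda <= key <= hold.endda:
            for mgr in rels:                # S -A012-> O: org unit that position manages
                if mgr.relat == "A012" and mgr.src == hold.src and mgr.begda <= key <= mgr.endda:
                    return mgr.dst
    return ""

def build_object_set(prof: Profile, rels: list, user: str, key: date) -> set:
    """Objects granted by the profile: walk the evaluation path from the root,
    honouring status vector, period, display depth and sign."""
    root = prof.objid or (prof.root_fm(user, rels, key) if prof.root_fm else "")
    if not root or root[0] != prof.otype:   # root must exist and match the profile's object type
        return set()
    steps = {(s, r): d for s, r, d in prof.path}     # (src otype, relat) -> dst otype
    result, frontier, level = {root}, [root], 0
    while frontier and (prof.depth == 0 or level < prof.depth):
        nxt = []
        for obj in frontier:
            for rel in rels:
                if rel.istat not in prof.status_vector:
                    continue                # relationship status not in the status vector
                if prof.period == "D" and not (rel.begda <= key <= rel.endda):
                    continue                # relationship not valid on the key date
                if steps.get((rel.src[0], rel.relat)) != rel.dst[0]:
                    continue                # relationship is not a step of the evaluation path
                # sign "-": follow each path step from child to parent instead
                here, there = (rel.dst, rel.src) if prof.sign == "-" else (rel.src, rel.dst)
                if here == obj and there not in result:
                    result.add(there)
                    nxt.append(there)
        frontier, level = nxt, level + 1
    return result

def resolve(user: str = "ANY", **fields) -> set:
    """Build a profile in plan version 01 and resolve it on the key date."""
    return build_object_set(Profile("01", **fields), RELS, user, KEY_DATE)

def period_example(period: str) -> set:
    # Lesson examples 1 and 2: root object O 200 with period "D" or blank
    return resolve(otype="O", objid="O 200", path=SBESX, period=period)

def planned_one_level() -> set:
    # Status vector 12 with display depth 1: active and planned direct children only
    return resolve(otype="O", objid="O 200", path=SBESX, status_vector="12", depth=1)

def bottom_up_from(objid: str) -> set:
    # Sign "-": the chain of superior objects above a person
    return resolve(otype="P", objid=objid, path=SBESX, sign="-")

def dynamic_root_profile(user: str) -> set:
    # Like profile SP5: no Object ID, the root comes from the function module
    return resolve(user, otype="O", path=SBESX, period="D", root_fm=manager_root)
```

With period D the model yields O 200, S 1 and P 2 only, because the S 1 to P 1 relationship ended on December 31, 2013; with a blank period P 1 is included as well. The planned sub unit O 210 appears only when the status vector contains 2, and a user for whom the function module finds no managed organizational unit receives an empty set, which is the behaviour a manager who changes departments relies on: the profile stays the same and only the dynamically determined root changes.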

Show Authorization Views

You can call the RHAUTH01 report by clicking Info. This program lists the objects contained in the structural authorization.

Assignment of Structural Authorizations

25.05.2021

Structural profiles are assigned in a different way than general authorization profiles. To assign structural profiles, you use table T77UA and not the Profile Generator (transaction code PFCG) as with general authorization profiles.

First, the system searches at runtime for entries in table T77UA for the current user. If one or more entries exist, the set of objects is mapped according to the profile definition. The set of objects is then checked against the concrete object and the action (Display or Edit). The authorization is granted only if the object to be checked exists with the necessary processing indicator in the set of objects.

Note

If table T77UA does not contain an entry for the current user, the preceding check is made in the same way for the entry SAP* in table T77UA. If still no entry exists, the authorization is denied. In the standard system, there is an entry for user SAP* with the profile ALL. This means that when you first implement the HR components, all users have complete authorization as far as structural authorization is concerned.

You can edit this table in Customizing by choosing: Personnel Management > Organizational Management > Basic Settings > Authorization Management > Structural Authorization > Assign Structural Authorization.
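The runtime lookup described above (entries for the current user in T77UA, fallback to the SAP* entry, then the check of the concrete object and action against the processing indicator) as a small Python model. It is an added illustration and not SAP code; the users, profile names, object sets and the table rows are constructed, and the profiles are given as already-resolved object sets rather than being built from their T77PR definitions. The last helper lists the users who have no row of their own and therefore inherit the delivered SAP*/ALL assignment, which is the list to review before relying on structural authorizations.

```python
"""Toy model of the runtime assignment check for structural authorizations.
Added illustration only, not SAP code; all data is constructed."""

# Constructed stand-in for table T77UA: (user, structural profile)
T77UA = [
    ("SAP*", "ALL"),      # delivered default: used for every user without a row of their own
    ("MGR1", "SP4"),
    ("MGR1", "SP_EDIT"),
    ("CLERK", "SP3"),
]

# Constructed, already-resolved profiles: (object set or None for all objects, maintain allowed?)
PROFILES = {
    "ALL": (None, True),
    "SP4": ({"O 200", "S 1", "P 2"}, False),   # read access to one org structure
    "SP_EDIT": ({"P 2"}, True),                # maintain access to a single person
    "SP3": ({"O 300"}, True),
}

def assigned_profiles(user: str, table=None) -> list:
    """Profiles for the user; if the user has no row, the SAP* row is used instead."""
    table = T77UA if table is None else table
    for uname in (user, "SAP*"):
        found = [prof for u, prof in table if u == uname]
        if found:
            return found
    return []                                   # no row at all: authorization is denied

def is_authorized(user: str, obj: str, action: str, table=None) -> bool:
    """action is "display" or "edit"; granted only if some assigned profile
    contains obj with a processing indicator sufficient for the action."""
    need_maint = action == "edit"
    for prof in assigned_profiles(user, table):
        objects, maint = PROFILES[prof]
        if (objects is None or obj in objects) and (maint or not need_maint):
            return True
    return False

def users_on_default(users: list, table=None) -> list:
    """Users without a row of their own, who therefore inherit the SAP* assignment."""
    table = T77UA if table is None else table
    own = {u for u, _ in table}
    return [u for u in users if u not in own]

def without_default(table=None) -> list:
    """The same table with the delivered SAP*/ALL row removed."""
    table = T77UA if table is None else table
    return [row for row in table if row[0] != "SAP*"]
```

In the constructed data MGR1 may display and edit P 2 (edit comes from SP_EDIT, not from the read-only SP4) but may not edit O 200, while a user without any row, such as NEWHIRE, is granted everything through the SAP*/ALL entry until that row is replaced or removed.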